Unrelated to the article but seeing .tk brings back many memories. As a kid without a bank account let's alone an international credit card (VISA/Mastercard), dot.tk is the only way to put a website online with your name. I created countless of websites with .tk for classmates, school and families.
Same here. .tk was the only one back then that allowed you to have your own domain name without subdomains. My memory is that:
1. freeserver.com/~userna <- This was the first URl you could have, sometimes with something inside another directory (freeserver.com/users/u/~usernam).
2. username.freeserver.com <- This wasn't that bad but it didn't look professional. Tripod used to do this.
3. username.fs.com <-- A service with a short domain that provided free subdomains. This was similar to 2 but shorter. Some of them allowed you to chose the domian part.
4. username.tk <-- Among all the free options, this was the best one by far.
Then we grew up a bit and started paying domains :')
I remember one around the year 2000 that gave you yourname.com for free but it would host your site in a frameset with a bottom frame serving banner ads. IIRC it was called NameZero, but I don't think it lasted long.
That was definitely NameZero. Their problem was they had no way to control what you ran inside your frame, so everyone ran a well-distributed code snippet that removed the ad frame.
Similar to Angelfire, which only inserted ads into the top of .html files, so you just built your entire site as .txt files and rely on the browsers "be lenient in what you accept" to render it as HTML.
The problem with .tk was that it would inject ads into your content. And the whole TLD was filled with low quality spam and hacks. I never liked it.
$7/yr for a domain was one of the very first internet purchases I made. Then that set me down a path of finding free dynamic DNS services. For a short time my website and Invision forum were only online when I was, but I felt like I'd beaten the advertisers.
oof. We didn't even have the Internet, nevermind Google. Kids these days will never even know what it was like pre ChatGPT. programming and even just computers alone was hard back in the day.
Hard?! You'd generally have one or two medium size books that documented the whole environment including corner cases, very few or no third party libraries, no frameworks, no autoupdates, just programmers living their best lives. If anything ChatGPT is filling the hole created by poorly documented "open source" churn.
from my perspective, I can just ask ChatGPT to give me code to whatever and it gives it to me. way easier than figuring it out for myself. hell, with openinterpreter, I can just tell my computer to fix my python shit for me. sure, there weren't me frameworks every week,
so knowing C++ and MFC was a sure thing, but it's so much easier today. python points at the character of the exact line of code that's throwing the error. no more spending hours of your life to find a missing semicolon, unless you try using rust (seriously, the difference between OK() and OK(); is material? I mean I understand it now after the fact but ungh).
you can't grep paper books, at best you can look things up in the index. even without ChatGPT I can ask Google and get stack overflow and just copy and paste without having to think deeply within minutes. if I'm just trying to get something out there, why do it the hard way? there's still need for the hard way (eg, I'm currently fighting Ida pro for a thing), but there's just less of a call for that.
de.vu always rubbed me the wrong way because it kinda looked/sounded like DVU, a far-right political party that eventually merged with the neo-nazi NPD (which, fun fact, recently rebranded itself as Die Heimat - Homeland). To be fair, the party didn't have much political relevance for most of its history but it did manage to win seats in some state (Land) parliaments in 1998, 1999, 2003, 2004 and 2007 so it did come up in the news around the time those domains were most popular.
On the other hand, .tk was in my mind mostly associated with German hobbyists and piracy. I think my old StarCraft/CounterStrike clan had a .tk domain at one point.
Those sites are still up, the control panel is at freeservers.com my Site davinder.8m.net is still up after 22 years. I chose .net because it was cooler than .com :)
I believe you don't have to do anything to claim copyright, other than make it yourself. One vague legal source I just read says that adding the copyright symbol and notice means you may be entitled to more damages if someone infringes on your copyright though.
I remember in the early 90s telling Mom that I built my own website. Mom was like noway that's impossible. I can't remember exactly where it was but it was like zoogatyler1.go.com or something. I think it was owned by Disney? I must have been around 7 or 8 but I remember being so excited. I think it was more of a homepage than anything. I started delving into those .tk sites when I was around 11 or 12 probably.
I launched one on a compuserve domain (I think) around the same time. Built it with FrontPage Express that came for free on a cd with a magazine my dad bought. Day after I launched it I had like 20 emails from random people with questions & comments about the site, crazy. Build it and they will come was def a thing.
Later on in the UK I put a site on a madasafish domain.
same - I remember hosting a small web server from a crappy pc at my parents house and using a .tk to serve the site.
Probably not the smartest thing to do at the time since I may have opened up all ports on the router to get it to work, lol. No https. No security. No moderation. Copy and pasted some html from a site that I thought was cool, search and replaced text to make it my own.
It was kind of like a microblog before twitter, fb, ig, blogspot, tumblr.
I definitely had a .co.nr domain before a .tk. I think I also remember (I was likely 13, so its been a while) that they had an "English" test question on the sign up form that read something like "A Britney Spears is a:" and one of the options was "Hamburger".
Looking back this could have been to slow robots down, but I distinctly remember one if the terms being you speak and host English content.
Another service I used a lot was " dominosfree" which had a bunch of .gs domains that looked like CC-tlds. I used .ca.gs a lot.
Same here! I remember registering a .tk domain for a school project I was working on at the time, my friends were all so impressed when I showed them it was available as a website they could visit in their browser
It's interesting seeing it parallels the problems with .tks today-- I remember using cjb.net to make my own LOVE@AOL websites and phish AOL users telling them that a crush liked their account. Easiest money a 12 year old ever made.
I used to host my websites wherever and then having a redirect to it. Two I remember was pagina.de/dr.enima (roughly translates to site of dr.enigma, my nickname back then) and i.am/supermatrix - a website dedicated to the movie the matrix which I love.
I think both of those pages were hosted in geocities and had pretty long urls...
In South Africa you could get a za.net domain for free. They stopped new registrations quite some time back as the spam era of the internet was getting started. I still have my domain and use it for all sorts of different things. From email to experiments.
i share a similar story but today we don't seem to have any alternatives. it is a shame really but i wonder if there is something else that does not involve freenom today.
The people complaining that Cloudflare hosts these criminals would be the first ones complaining that Cloudflare has too much power when taking down websites it doesn’t like.
You can’t win with these people, I personally think this is the best outcome and shows our systems work (albeit slowly). Sure it took a while, but now there doesn’t have to be a precedent of Cloudflare acting as the internet police more than it has to.
This is the classic fallacy of assuming that because you see comments of type A and comments of type B on the same forum that means they're the same people. They're usually not.
A more accurate way to phrase this is "you can't win with ... people". Whatever you do will end up ticking off some subset of the population.
There’s a similar problem I encounter from time to time: when I self-identify as “conservative” and express opinion C, many people assume I also hold opinions D, E, and F, because “that’s how all conservatives are”.
There's one great piece of advice: "Keep your identity small" [1].
(If people ask me about my political affiliations, I usually answer something like "Hamilton for president! Of maybe Jefferson."; this kind of statesmanship is hard to find now though.)
They are not many multitudes in the US. Good on you, but my experience is that most people stick with one group and regurgitate the party lines. I think this comes mostly from very polarized TV shows.
Likewise, if you disagree with them, they instantly assume that you are with the other group. It is strange.
The two-party system easily evokes the ancient knee-jerk reflexes. The millennia-old "us against them" tends to eschew any nuance and instill the war mentality. Either you are "one of us", and subscribe to the bulk of "our" views, or you are "one of them", and are assumed to subscribe to the bulk of "their" views.
“These people” is presumably a set of people quick to find fault in anything a corporation does, which could be a superset of those two groups. Not sure what kind of fallacy that’s supposed to be.
Those people are in the noise and nobody cares what they think once they realize they just criticize for the sake of it.
That doesn’t change that people seem to think the top upvoted comments being contradictory from day to day represents some kind of inconsistency in the views of the commenters on this site.
> The people complaining that Cloudflare hosts these criminals would be the first ones complaining that Cloudflare has too much power when taking down websites it doesn’t like.
It'd be interesting if you could point to a single example of someone taking both sides. I strongly doubt these are the same people.
If you're asking me to personally identify someone, no I'm not going to do that. However if you want to see some hilarious hypocrisy, go ahead and see who said what when Cloudflare banned 8chan.
Well CloudFlare already does exactly that. It already set the precedent you are referring to. That's why it feels odd that they don't shut down literal criminals too. They have no issues with shutting down stuff, but they are famously very lax when it comes to actual criminal stuff. I'm not trying to say that they were wrong or right for engaging in content policing, what I'm saying is that the precedent isn't new.
There is no contraposition. In both cases, big company simply does something it wants.
This comparison actually highlights that there is no “system”, because some (imaginary) impersonal entity decides that those bad actors are allowed, and those bad actors are not allowed. Some public sensibilities are given as a reason, but no one is actually asking anyone's opinion on anything. Still, there are people who believe that Santa Claus brings presents for free, and that the whole thing is not governed by typical hypocrisy and typical politics behind closed doors. The thing is, you've built a turnpike, you can now bargain with people interested in sharing control over that turnpike.
The internet is a global system that spans ~all jurisdictions, and most internet criminals live in jurisdictions that don't prosecute internet crimes as long as the bad actors leave citizens of their own country alone.
So they're criminals as far as the US and allies are concerned, but de facto not criminals where they live. If they're going to be locked out of the system, it has to be by the infrastructure, because their government has no interest in stopping them.
I see. Perhaps there should be a legal framework to get the government to demand companies like cloudflare stop serving these international criminals, then. That way it wouldn't depend on a private entity making the judgement.
Do you ever think it's weird that we have gone through web 1.0, web 2.0, semantic web, intertubes clogged with spam bots, web 3.0: crypto edition, and the dawn of AI scraping, and we still haven't figured out these issues?
Which government do you mean when you say "the government"? Any national government? Only the US government? Only governments in which the US is friendly and/or has agreements with?
Would you want authoritarian governments to be able to demand Cloudflare stop serving those they consider criminals that are outside their borders?
I again ask: is it desirable for any of those countries to be able to unilaterally force a company to enforce its laws regardless of where the individual in question is?
If the equipment is in country X, it seems reasonable to enforce the rules of country X. Plenty of companies refuse to operate in specific countries, including China, because they don't want to follow rules of that country.
If CloudFlare chooses to do business in China, that's a choice they're making and it comes with consequences.
Maybe they can offer service where customers will only be served from equipment outside of China, maybe that's not something they choose.
Are you American? Because that sounds like such an American idea of how the world works.
To answer your question: most malware actors can be traced back to Russia, what exactly do you think "sending the cops" after them will accomplish and if the answer is "nothing", then does that mean you don't think they can be called criminals?
It doesn't need to be physical cops. What I mean is that if crimes are being committed, the legal system should initiate a process that either puts them in jail (which as you say may not be possible) or ends up with cloudflare banning and other internet companies blacklisting them. That way, the burden of judging criminality isn't on random companies but on the appropriate authorities.
Cloudflare shields criminals from cops. They do so because of "free speech" or whatever. There was recently a story about a swatting victim, who tried to get the forum the swatters use to shut down. Cloud flare refused to give the identity of the criminals, the case even went to court and the victim lost and now apparently has to pay court costs.
Our legal system is unfortunately not perfect, which is why it matters what infrastructure providers do.
Do they enable criminals by shielding them from the police? Or do they have policies in place that prevent abuse of their service?
With Cloudflare, I'm pretty sure they lean towards the former.
Which is a catch-22, because subpoenas / warrants for collection of digital information have to name a specific intended target (a real legal identity under suspicion, not some pseudonym) — and "the real legal identity of the suspect" is exactly the thing that Cloudflare's proxy-shielding prevents you from learning. Courts won't act until they have some specific individual to act toward.
(This is also why, whenever you hear about e.g. police stings on Tor forums, they never mention requesting courts to issue warrants to ISPs for collection of e.g. traffic-analysis-correlation info about locations of servers hosting illegal content. Instead, this de-anonymization step is something they always have to achieve extra-judicially, usually by contracting a private network threat intelligence firm.)
Or you don't hear about the methods they are using for deanonymizing because they would get the cases thrown out of a court. Warrantless wiretapping and the like... And the private firm is just lying for them so law enforcement can do parallel construction.
Is the website illegal? Or maybe the police need to deal with spam calls more sensibly. Presumably they can trace where the calls are coming from in real life
wait, are you mad cloudflare decided not to be an active participant in a doxxing campaign? Swatting is awful but I'm inclined to side with cloudflare here.
I'm mad that they offer anonymity to criminals. If you offer a service that lets people hide their identity, you ought to perform a bit of due diligence.
People who want to live in a just world often get in the way of things. I'm just not sure why you're mad at those who want justice and not those who put profits above all else?
> that Cloudflare hosts these criminals
Oh.. it's not that they host them, it's that they go out of their way to protect them, and the profit streams associated with them.
There are tons of shady websites hiding behind cloudflare's services. Some used .tk domains too but just in general, many shady websites are hiding behind Cloudflare and at least I know from personal experience if you contact cloud flare about it, they pretend not to be home.
"We do not host the website" was always there response, while that is perhaps technically true, arguing if they shut down the reverse proxying for that website it would be at least offline, never worked.
Cloudflare is a US company. If they provide hosting (or reverse proxying; I don't think there's a material legal difference) services for anything illegal under US law, shouldn't it be possible to compel them to stop doing that through the legal system?
And if this is about not-illegal-but-objectionable content, I'm actually glad that as an infrastructure company, they're choosing to not get into the business of content moderation.
> if this is about not-illegal-but-objectionable content, I'm actually glad that as an infrastructure company, they're choosing to not get into the business of content moderation.
Agreed. There's one other subset you didn't mention: "Clearly illegal but not yet handled in the court of law". Cloudflare again has a pretty hardline stance that "the courts need to come to us and force us to take it down"
It's not reasonable. 99% of scams, frauds and harassment will never be subject of legal action, because there just aren't enough prosecutors out there to charge every fraud attempt.
If you require a court ruling before blocking a fraud, it means you will keep hosting 99% of frauds.
If it's clearly illegal, what prevents it from being handled in any court of law? If it's not actually as clear, preemptive/overzealous compliance can lead to all kinds of undesirable (in a liberal democracy) effects.
I also doubt that Cloudflare lets every single analogous issue bubble up to a full court case every single time, but for new/unclear/borderline scenarios, I'm glad that courts don't get to outsource their duty, i.e. determining the legality of actions, to a for-profit organization without public oversight.
Maybe that commentator lives in a country without common law, so precedent doesn't matter, but in a country like the US a law without precedent is considered "untried" and a lot of the details are worked out when the law is first enforced.
If the legislature doesn't like the court's interpretation, they can then amend the law and the process restarts.
So basically, at least in the US, nothing is clearly illegal until it is handled by a court -- so yes I think you're right
They can. You can also subpoena them for information on an account, there are literally lawyers with blogs talking about how to do this. The people complaining essentially think that they should have the right to take anything they want down with an abuse report.
A while back there was an interview with someone at Cloudflare and they were asked what about these Al Qaeda sites you guys are in front of, dude just answered "no comment". Seems that at the time they didn't ask many questions at all, like you said cause they don't want to go in to content moderation.
Thank god, .tk caused so many headaches for us, truly a cesspit of a tld. The rate of fraud and abuse on our platform was staggeringly high from it, it was close 99%.
It would follow that Cloudflare is tacitly admitting they have been / are hosting a large number of domains used for fraud and abuse. That surprises me, given the time and effort they spend mitigating fraud and abuse. Anyone care to explain what I'm missing?
> That surprises me, given the time and effort they spend mitigating fraud and abuse
What time? What mitigations?
Cloudflare will proxy anything and then tell you "we're just a proxy, so we wont do anything lol" when you report anything other than cf pages. Doesn't matter if it's terror groups, animal torture, piracy, doxing, far right groups, etc.
I have personally submitted abuse reports and seen that absolutely nothing happens.
Oh and also the amount of abuse I see from people using Cloudflare Warp is also very high.
Depends on what you're trying to achieve, I think.
Cloudflare's policy is that if there's ToU-violating content being served through a Cloudflare-proxied domain, you can report it to request de-anonymization of the domain, so that you can then reach out to the actual host.
I've reported Cloudflare-proxied phishing-site clones of my company's website to Cloudflare, and they've usually come back to me with a pointer to the upstream-origin's ASN/ISP to reach out to within a few hours.
> the amount of abuse I see from people using Cloudflare Warp is also very high.
More so than from "traditional" VPNs (i.e. the ones claiming to keep "no logs and never selling your data")?
That's quite surprising, since Cloudflare makes no such promises and markets Warp as a security/performance improvement tool, not an anonymity-providing one. I think at least for a while, Cloudflare-hosted sites would even bypass it entirely and they'd get the real underlying client IP.
> More so than from "traditional" VPNs (i.e. the ones claiming to keep "no logs and never selling your data")?
Yes, because it is a free service, an easy and free way to just hide your ip address. You don't even need an account.
> I think at least for a while, Cloudflare-hosted sites would even bypass it entirely and they'd get the real underlying client IP.
Correct, this used to be the case, but no longer is as far as I can tell. But even with that, it was an issue for non-Cloudflare websites and services that are being attacked that aren't HTTP(S) (e.g. SSH)
Are they responsive at all to abuse notifications about their VPN users? Presumably the only thing they could even do is to block an upstream IP address, given that it doesn't require an account.
Yeah, because of the pressure after it all blew up. They even said in their own blog post that it was an "extraordinary" decision and did not believe terminating them was appropriate.
Kiwi Farms used their services for at least 6 years before anything happened.
I was thinking particularly about the DDoS protections they advertise (and explain in lovely technical posts on this site). So you're saying that they protect their network from others, whilst disregarding harms their clients cause to others. That was something I was missing, so I thank you.
Before cloudflare, it was difficult to run a DDoS-for-hire service because competing services would all DDoS each others' websites. Back when CDNs were all "call for pricing" affairs.
Cloudflare had the insight that the more DDoS-for-hire services there were out there, the greater the demand for their services. Offering free DDoS protection to DDoS-for-hire services helps keep customers coming back for more.
> Before cloudflare, it was difficult to run a DDoS-for-hire service because competing services would all DDoS each others' websites.
I mean, you don't need websites to advertise. Most DDoS-for-hire services back before 2009 advertised on IRC, NNTP, via ads in .NFO files found in warez releases found on Kazaa and BitTorrent, and so forth. (Some of the very tech-headed ones ones had Freenet sites.)
Shouldn't be a surprise, there is a tight relationship between Cloudflare and the booter community. I remember every booter site or similar was always behind Cloudflare, I think it was a common practice because it didn't seem like Cloudflare cared about these abusive sites.
It seems at least plausible to me that either there would be even more fraud and abuse than there already is without the time and effort to mitigate it, or that maybe their mitigation is not as effective as they'd like. This isn't meant to contradict the other theories being posted here; I don't really have any experience specific to this area, so it's possible I'm just being naive.
Yeah, I find this whole thread a bit odd. Cloudflare has been a highly regarded service for years, and suddenly people are blaming them of running a protection racket, without providing a single source or piece of evidence (or a presumably more ethical alternative, for that matter)?
As they say, extraordinary claims require extraordinary evidence…
> admitting they have been / are hosting a large number of domains used for fraud and abuse
Only if the abuse happened through them. Perhaps they were just hosting holding pages, and the traffic was pushed elsewhere when active scams were running?
> surprises me, given the time and effort they spend mitigating fraud and abuse
They mitigate it incoming as one of their features for their customers. That doesn't mean they are going to mitigate it outgoing quite as fiercely. Though I'd assume they'd made some effort at least to maintain a reasonable reputation for their IP ranges.
I've heard people bring up that problem before. On one hand they protect sites from DDOS attacks and bad actors, but on the other hand they help keep the bad actors online.
If there's no abuse, nobody will pay their protection money.
I believe their primary focus is protecting the customers / proxied web servers, not the clients of said site. I suspect if one day the free accounts on CF went away there again we would lose a lot of scam sites assuming they don't accept Monero or similar and like .tk we would also lose some cool sites.
Cloudflare's market play has consistently reminded me of Facebook to Google's from the perspective of Googlers I know who moved to Facebook in early 2010s.
Let's do Akamai, but cheaper. Trying to stop everything bad is impossible anyway.
If you try to find evidence that Cloudflare mitigates fraud and abuse, you'll mostly find anecdotal evidence (sites that have been attacked and moved to Cloudflare, mostly) plus information and claims provided by Cloudflare, which is unverifiable. The problem is that nobody protects us, the Internet, from Cloudflare.
Cloudflare will happily take money from and host (yes, host - they host, in spite of their rather stupid and completely disingenuous assertions that they don't) spammers and scammers. They do all the time, and they have no intention of changing that any time soon.
If you forward phishing spam to abuse@cloudflare.com, guess what? Nothing happens. You get an automated response, but they do nothing about it. They expect you to visit a web page that has all sorts of intentional problems (intentional because they've been pointed out to Cloudflare and Cloudflare hasn't addressed them for years) that make the process arduous and time consuming. For one, they don't have "spam" as an abuse type. For another, even though they now literally host web content, and even though they're a domain registrar, if you don't paste in a URL pointing to a site hosted by their proxying product, then you can't submit your form. This means there's literally no way to complain to Cloudflare about domains for which Cloudflare is in WHOIS and SOA records, and for whom Cloudflare hosts DNS. The fields are limited to some particular size (2,000 characters? I forget exactly), and have issues where if you paste more than a certain amount of content but less than the hard limit, you can't submit the form. If you try to use the form more than once a minute or two, IT'S RATE LIMITED and you can't submit the form. Imagine that - they need to protect themselves from human-speed abuse reporting.
In other words, it's REALLY hard to use their site to report abuse to them, and they know this, and it's intentional, unless we want to believe that they just suck at understanding how to make a web page that works.
If they get enough complaints about a given phishing domain, they eventually take action, but it'd be after several days, which is more than the lifetime of a typical phishing campaign. In essence Cloudflare is one of the most popular phishing and spam-promoted hosting platforms because of Cloudflare's intentional foot dragging and claims to want to "protect free speech".
They got on my shit list years ago when they told me - not kidding - that they couldn't just take down a Bank of America phishing site when it was pointed out to them because of "free speech". In other words, they don't want to set a precedent where they can apply the tiniest modicum of common sense and take down phishing sites which any reasonable human on the planet can unambiguously recognize as fraud.
Bottom line: Cloudflare tells the world that there's SO much bad stuff out there, and you'll get in trouble if you don't use their products, and that's mostly true if you want to run phishing and spam-promoted web sites, so scammers and spammers use Cloudflare and are protected from those of us who would report those spammers and scammers.
For all the companies and individuals who use Cloudflare, many are fooled in to thinking they need Cloudflare when they don't and are just making their sites problematic for much of the non-western world while helping a wanna-be monopoly re-centralize the Internet around a for-profit company that has a history of profiting from scammers and spammers.
If anyone thinks Cloudflare legitimately protects the Internet by mitigating fraud and abuse, I'd be very interested to see evidence that doesn't come from Cloudflare that shows this.
1) not using DoS / DDoS protection, or using any number of hosting services that have this built in, or using a service that doesn't marginalize large parts of the world in the name of "security". DoS / DDoS attacks are not as common as Cloudflare would want you to believe.
2) use literally any other registrar / DNS service / hosting platform. You then won't need to worry about whether people all over the world will be getting CAPTCHAs on ever visit because of where they live or what browser they choose to use.
They don’t only offer DDoS protection, but also a WAF (Web Application Firewall), and if you run commodity software, attacks are very common.
I know this because I manage a WordPress site fronted by a different WAF, and I can see in the logs that malicious bots are trying to pwn the site basically 24/7.
(and before you say ‘patches’ – yes, but defense in depth is a thing, and you don’t always have the luxury of vendors with good security practices.)
Yes, Wordpress is attacked incessantly. It's designed to be actively hostile to security, so yes, a firewall that helps ameliorate is a good thing.
However, if you really care about Wordpress security, a WAF is just covering things up, and yes, you need to patch (but that's not really the fix). The proper fix is to reconfigure things to not follow Wordpress' absolutely ridiculous security. While patching depends on vendors, securing Wordpress from its own hubris doesn't depend on vendors.
But even where Cloudflare's products are arguably good, they still do too much in my opinion to marginalize non-mainstream visitors and to re-centralize the Internet around one big company. Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.
WP core isn’t bad, the problem is when you’re the ops guy and you get handed an installation with 30 plugins.
Anyway, WP was just an example. Are you 100% certain that all your software is 100% on the ball when it comes to modern security practices? We all know that not everyone takes security seriously.
> Every time they have issues, huge parts of the Internet are affected. If I wanted a WAF, I'd get it from elsewhere.
Which ‘elsewhere’ would you suggest? Every time AWS, Azure or GCP have issues, the internet is affected too.
Spam and scams will happen no matter what. It will just be spread across the cheapest domain registrations that are still available now. The narrow and self-serving aspect that Facebook investigated, cybersquatting, should not justify killing off legitimate free domain registrations forever, at least in a better world where we more directly tackle these problems.
> You are free to hand out domains for free to strangers, if you so desire.
> Nobody stopped anyone from anything.
This is impossible, as we have just seen with the ICANN termination of Freenom. Turns out, the legal threats will kill it, even if other TLDs also have plenty of cybersquatting going on. There's realistically no way to repeat Freenom's success in giving out free domains without greatly heightened legal expenses now. It's gone, the fun is over.
Likewise, because of this legal pressure they will likely never allow a .free proposal -- which is to assign .free to an organization wishing to provide free domain names and foot the bill themselves, essentially becoming the LetsEncrypt of domain name registrars.
Essentially, yes. Freenom lost its registrar accreditation a few months ago, so all domain names will be forced by ICANN to go to another registrar. I'm assuming they saw no path towards getting it back, due to the difficult nature of complying with reporting correct registrant information for free users.
I said "No they didn't. It's good that seedy car dealership, the one that couldn't stop selling armored cars to Al Capone's crew for years, gave up and shut down."
You added "Cars don't kill people. People kill people."
I would disagree, I remember as a kid in the late 90s being able to host a website on one of the free hosting providers and then pairing it with a free domain name just made the whole thing that much more special. $10 or so a year for a paid domain name isn't a ton of money, but it can be for a kid with no credit cards and parents that aren't convinced as to why you "need" a domain name.
I don't think that would be a good idea. It would introduce an admin burden on the schools related to moderating/monitoring the sites. And they would more than likely overstep in one way or another, when enforcing their rules.
I was thinking state-administered. Public school enrollment would just be the precondition to access the program.
But sure, yeah, there'd be some admin time spent managing it. As with anything, there are plenty of reasons not to do it. It struck me as a low cost-to-impact ratio thing that could get kids into tech, but reasonable minds could disagree.
The only way it would work is if it was literally handled by the government, and the associated 1st amendment rules applied (so it wouldn't be moderated unless it was actually shut down by a court case).
It would result in rampant wildness and people complaining, but if you didn't do it that way the burden would be too high.
Cost would be negligible compared to a teacher's salary.
(1 teacher / 20 students) * ($50k / teacher-yr) = $2500 per student per year to fund teacher salary.
Compare that to $40/yr domain+hosting, which maybe 10% of students will use. $4/student-yr will not be the diffence between paying teachers probably or not.
Another way of looking at this is that scammers can probably afford to spend $5-10 on a TLD since it's just a cost of doing "business" to them, but many kids can't.
I was very happy about free TLDs back in the day as a teenager, since I could just try things out before having to convince my parents to let me use their credit card to register a proper domain name.
It's infinitely easier to spend $0 vs $0.01 if you're trying to be anonymous online. The criminals can certainly afford it but that also almost certainly means interacting with financial systems that leave a paper trail.
I doubt that that's any kind of obstacle to criminals.
At a quick glance, many registrars and hosters seem to accept crypto, and anyone can buy prepaid Visa and Mastercard cards anonymously for cash for the ones that don't.
> The affected domains represent a big loss for Cloudflare, with .tk, .cf and .gq previously accounting for 23.1% of all domains hosted on its platform – and nearly all of these have now gone.
I'm not sure in what way this is a "loss". I doubt cloudflare is losing money (or revenue) here. Especially if many of these domains are spammy, it seems like this is probably not much of anything for them.
This was my thought while reading this. Overall I think this is a net-win for CloudFlare. I suspect that exactly 0.00% of the 12.6 million domains they just "lost" were paying customers. Considering the people didn't want to pay for a domain, they probably weren't paying for a CDN either.
I'm sure Cloudflare will be able to wipe away their tears of this loss using the extra dollar bills they have from reducing their bandwidth costs.
Why do orgs feel the need to use these whacky TLDs
I’m still of the fence with rust using .rs in important places which is fundamentally in control of the Serbian government. You’re going to have to trust the Serbian government with signing .rs DNSSSEC at minimum and I don’t.
To be perfectly fair, the list of DNSSEC cock-ups is staggering. .nz ccTLD was taken down, IIRC, for 4 days after a bad KSK rollover just last year. I’ve seen prominent registrars with ‘automated’ DNSSEC fail to upload correct NSEC and RRSIGs. It’s not uncommon to see .gov domains go down because of DNSSEC. You’d think all these entities should get it right, but they don’t. Probably why many major tech domains such as google.com don’t use DNSSEC.
But to your point, using a ‘off-brand’ can really hurt sometimes. `.af` might be a cute marketing tactic, but it’s actually Afghanistan, and the Taliban play by a different rulebook. I believe it was `gay.af` that found that out the hard way. Tons of other stories.
I think .so is an even whackier choice and people are rushing to it. Why notion.com redirects to notion.so is beyond me. Probably couldn't buy it and pay only for a redirect?
That random world governments, many with judiciaries you can't access, control TLDs is a good reason not to use wacky ones. But DNSSEC isn't really part of that argument. Nobody trusts DNSSEC (the root keys could land on Pastebin and virtually nobody would even need to be paged), and the trust issue is the same before-and-after.
I started on the Internet in the (mid) 90s. Back then, it was already common among security conscious folks. A bit later, end 90s, you could buy a shell account for a couple of USD per month. You could run a BNC on it, or IRC client. It had various IPv4 with reverse DNS, this was called vhost. For example, you could end up with I.pwned.the.whole.eu.org and plays where TLD was part of word. Goatse.cx for example reads 'goatsex', Slashdot.org reads 'slashdotdotorg' or 'httpcolonslashslashslashdotdotorg', the founder of first Dutch consumer ISP Xs4all Rop Gonggrijp had gonggri.jp for ages (guess his email address). There are countless of examples.
Any of the OG TLD's, I wouldn't tie my domain to anything political at all outside of the US.
You already have to implicitly trust the US government when it comes to anything internet-related as all of the critical infrastructure is, whether you like it or not, American, so you might as well set up shop within US control.
The TCL maintainers switched their main URL to tcl-lang.org a while back because Freenom was so unreliable, although they've continued to serve tcl.tk as well with crossed fingers.
I really hope Tokelau chooses a reputable registrar going forward, and .tk becomes usable for serious people.
Oh, that is why I wasn't able to renew some domains I have used for 10+ years. I'm not even able to upgrade to paid domain.
I don't think it will help reducing malware/scams/phishing. But it will hurt students and young people that want to start in en development and aren't able to pay for a domain.
The article presents this as a loss - but cloudflare has a free tier, do we know if these were paid accounts? If cloudflare weren’t going to convert these users then this could be a gain.
If the users were using free domains instead of paying for a domain do you think they'd use paid cloudflare? The cost of a domain is so much lower than the cost of Cloudflare.
I could at least imagine a scenario along the lines of: penniless college student creates a site at a .tk domain. Later, the student gets a job so he is no longer penniless, and meanwhile, his site actually becomes popular, so he signs up for cloudflare, maybe even registers a .com domain, but keeps the .tk domain alive because that's where most his traffic is coming from.
Not sure how common that is. But I don't think it's a given that all sites hosted on .tk domains are unwilling to pay, especially not if you consider that they must be somewhat popular if they need a CDN.
(The sort of personal homepage that most of us had back in the 90s would never need a CDN because it would get 5 hits per week.)
I don’t know and that’s why I’m asking. Not paying for a domain is not a reason enough to expect not paying for cloudflare - these are different services. Also note that even not paying for cloudflare is not enough - I asked whether cloudflare intended to convert that segment.
Is it safe to assume that these were overwhelmingly on Cloudflare's free tier? I don't expect that someone who gets a domain for free is going to pay for hosting; if that's the case I don't see this as a big loss for Cloudflare, or am I missing something?
I would guess the same, that these are not Cloudflare customers but rather domains that happened to be configured on Cloudflare. CF probably just increased their profit margin a little by no longer handling all those free users.
I get .tk was popular because it was free and you do need a home for your website that’s portable across providers (not like a .netlify.app sub).
But like we learned from .af, any of these TLDs technically meant for a country need to be considered ephemeral. You are sort of borrowing it without explicit (or lasting) permission.
> You are sort of borrowing it without explicit (or lasting) permission.
To be fair, this is true of all domains. The broader concern with ccTLDs is this borrowing dynamic layered with whatever geopolitical situation the country is in, how stable the administering authority is with respect to the current regime, or just the political forces at work within the country that may lead to changes or requirements for the ccTLD within the country are registered. There is often a concern of DNS infrastructure and local bandwidth considerations for the data center in which the root nameservers are housed, assuming they are not outsourcing that.
It's not true of gTLDs though. You actually own those domains, and they can't be taken away from you (barring extreme circumstances) so long as you pay the registration fees every year. But domains on ccTLDs can be taken away from you by the government at any time for any reason.
I gotta say i find it extremely hard to believe that one can "own" a domain. This sounds like hand-waving. We don't own software, we barely own computers (to do with what we want), we don't own media.
Is this like "one can own land" but really that's asterisked with Eminent Domain (no pun intended)?
Real estate is a pretty good analogy for this, actually. You own domains on gTLDs in the same way that you can own property, but you have to pay your annual property taxes (domain registration fees) else you can lose it. But owning a domain on a ccTLD is more like renting property in a jurisdiction that doesn't have rent control; at any point the actual owner can simply say you're not allowed to use it anymore, and tough luck. Look at what happened to British .eu registrants, for example.
Also you can own all sorts of intangible things, so it's really not that foreign of a concept. You can own parts of the RF spectrum in your country, or mineral rights to a specific piece of land, or you can own a piece of intellectual property or a patent. Domain names are just another flavor of intangible property ownership.
Are you trying to move a .tk? I don't know if anyone can accept a .tk now -- the whole situation with that TLD is a clusterfuck now :( I can't renew the one I had.